Why do a lot of people use both these functions on a string?
I see a lot of stripslashes(strip_tags($field)); (or the other way around)
Isn’t strip_tags enough to filter any XSS stuff and such things?
Escaping data has nothing to do with strip_tags or stripslashes. These functions filter certain characters out of a string, while “escaping” encodes certain characters so they won’t be interpreted by a browser or database.

You can use strip_tags to remove HTML tags in strings being sent to PHP from the browser. Better yet, you could also safely store the same data without passing it through strip_tags if you use htmlspecialchars to escape any characters that could delimit tags when you send the data back to the browser.

stripslashes removes slashes from a string, and you only need to worry about it if “magic quotes” are enabled. It’s a hold-over from an earlier time when the PHP devs naively assumed every piece of data coming from the browser was destined for a database and that developers couldn’t be trusted to escape the database themselves.
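To make the filtering-versus-escaping distinction concrete, here is an added PHP example (not code from the answer above) run on a constructed input string; it assumes PHP 7.x semantics, where get_magic_quotes_gpc() still exists but always returns false, and guards the call so it also runs on PHP 8, where the function was removed.

```php
<?php
// Added example, not part of the original answer.
// Constructed sample input: ordinary text that merely looks like it contains a tag.
$input = "Check that 1<2 and 3>2, then see <b>bold</b> text";

// FILTERING: strip_tags() deletes anything that parses as a tag. Here that
// includes the legitimate "<2 and 3>" comparison, so user data is silently lost,
// and what remains is still not encoded for any particular output context.
$filtered = strip_tags($input);

// ESCAPING: store the string unchanged and encode it at output time for the
// context it is going into. Nothing is lost, and the browser shows the text
// literally instead of interpreting "<b>" as markup.
$stored = $input;
function renderHtml(string $text): string
{
    // ENT_QUOTES also encodes ' and ", which matters inside attribute values.
    return '<p>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Database context uses a different escaping mechanism: a bound parameter,
// never string concatenation. $pdo is assumed to be an existing PDO connection
// (hypothetical; not shown here).
function storeComment(PDO $pdo, string $text): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
}

// stripslashes() is only correct when magic quotes added the slashes on the
// way in. Applied unconditionally, it corrupts a backslash the user actually typed.
function undoMagicQuotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

echo "strip_tags result: " . $filtered . "\n";
echo "escaped for HTML:  " . renderHtml(undoMagicQuotes($stored)) . "\n";
```

Run it and compare the two lines: the first has lost the comparison text, while the second preserves every character of the input and encodes the angle brackets and quotes instead of removing them.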